Critical File Monitoring using Native OS functionality and ESM

Document created on Dec 21, 2010 (Version 1)

This document describes the native file auditing functionality of Windows (Server 2003/2008) and Linux (RHEL 4), and how it can be configured to generate OS audit events when a critical file (for example /etc/shadow, /etc/sudoers, or a system binary) is read, written, or otherwise modified (renamed, deleted, or has its permissions or ownership changed). It then provides example content showing how ESM can correlate these raw OS events into concise, actionable data: who touched which critical file, with what program, whether the access succeeded, and whether the acting user had escalated privileges.
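To make the correlation step concrete before the OS-specific configuration sections, the following is an added example, not content from this document or from ArcSight ESM itself. It stands in for the kind of correlation an ESM rule would perform on the Linux side: auditd writes one SYSCALL record plus one or more PATH records per event, all sharing the same audit serial number, and the useful fact (user X wrote /etc/sudoers with vi, as root, successfully) only exists once those records are joined. The sample records are constructed for this example, the list of critical files is an assumed watch list, and the syscall numbers are x86_64 values (an RHEL 4 host on i386 would report different numbers and a different arch field).

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not taken from any real host or from the
# original document). Three events: a read of /etc/shadow by a user who had
# become root, a write to /etc/sudoers, and a denied read of /etc/shadow.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1292932800.101:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key="critical-files"
type=CWD msg=audit(1292932800.101:101): cwd="/root"
type=PATH msg=audit(1292932800.101:101): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1292932860.222:102): arch=c000003e syscall=2 success=yes exit=4 a0=7fff a1=241 a2=1b6 a3=0 items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 comm="vi" exe="/usr/bin/vi" key="critical-files"
type=CWD msg=audit(1292932860.222:102): cwd="/home/alice"
type=PATH msg=audit(1292932860.222:102): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1292932860.222:102): item=1 name="/etc/sudoers" inode=5678 dev=08:01 mode=0100440 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1292932900.333:103): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=4001 pid=4002 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts2 comm="less" exe="/usr/bin/less" key="critical-files"
type=CWD msg=audit(1292932900.333:103): cwd="/home/bob"
type=PATH msg=audit(1292932900.333:103): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
"""

# Assumed watch list of critical files for this example.
CRITICAL_FILES = {"/etc/shadow", "/etc/sudoers", "/etc/passwd"}

# Assumption: x86_64 syscall numbers. Only the calls that matter for critical
# file monitoring are named; anything else is reported as "syscallNN".
SYSCALL_NAMES = {2: "open", 257: "openat", 82: "rename", 87: "unlink", 90: "chmod", 92: "chown"}
O_ACCMODE = 0x3  # low two bits of open(2) flags: 0=O_RDONLY, 1=O_WRONLY, 2=O_RDWR

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd line into its type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}


def group_events(lines):
    """Join SYSCALL/CWD/PATH records that share an audit serial into one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if rec:
            events[rec["serial"]].append(rec)
    return events


def summarize_event(records, critical_files):
    """Reduce one joined event to the actionable facts, or None if no watched file is involved."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None:
        return None
    paths = [r["name"] for r in records if r["type"] == "PATH" and "name" in r]
    hits = [p for p in paths if p in critical_files]
    if not hits:
        return None
    nr = int(syscall["syscall"])
    name = SYSCALL_NAMES.get(nr, "syscall%d" % nr)
    if name in ("open", "openat"):
        # open(2) carries its flags in a1; openat(2) in a2. Values are hex in the log.
        flags = int(syscall.get("a2" if name == "openat" else "a1", "0"), 16)
        action = "write" if flags & O_ACCMODE else "read"
    else:
        action = name
    auid, euid = int(syscall["auid"]), int(syscall["euid"])
    return {
        "time": syscall["time"],
        "file": hits[-1],           # later PATH items are the target; earlier ones are parent dirs
        "action": action,
        "success": syscall["success"] == "yes",
        "auid": auid,               # login uid: the human who is accountable
        "euid": euid,               # effective uid at the time of the access
        "escalated": auid != euid,  # su/sudo happened between login and access
        "exe": syscall["exe"],
        "key": syscall.get("key", ""),
    }


def correlate(log_text, critical_files):
    """Return one concise summary per audit event that touched a watched file, in serial order."""
    events = group_events(log_text.splitlines())
    out = []
    for serial in sorted(events):
        s = summarize_event(events[serial], critical_files)
        if s:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in correlate(SAMPLE_AUDIT_LOG, CRITICAL_FILES):
        print("%s %s %s by auid=%d (euid=%d%s) via %s success=%s" % (
            s["time"], s["action"], s["file"], s["auid"], s["euid"],
            ", escalated" if s["escalated"] else "", s["exe"], s["success"]))
```

The three things worth carrying into an ESM rule are visible in the output: the accountable user is `auid`, not `uid`, so a read of /etc/shadow after `su` is attributed to the original login; the read/write distinction comes from the open flags rather than from the syscall name; and failed attempts (`success=no`) are as interesting as successful ones, since a non-root user probing /etc/shadow is exactly the behaviour a critical file monitor exists to surface.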

As always, this is an organic document: users are invited to use the content to date, and then add their own observations and methods as they develop the techniques further.


This is not official ArcSight content; anyone using the contents of this document does so at their own risk.